From c2c99e2860566044b23a5b3fded6f70b7436b9ad Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 15 Jan 2009 13:22:39 +0000 Subject: [PATCH] Update certificate hash line format to handle canonical format and avoid MD5 dependency. --- CHANGES | 7 +++++++ crypto/x509/x509.h | 1 + crypto/x509/x509_cmp.c | 18 +++++++++++++++++- 3 files changed, 25 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 66e812c809..ea5162d78c 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,13 @@ Changes between 0.9.8j and 0.9.9 [xx XXX xxxx] + *) Enhance the hash format used for certificate directory links. The new + form uses the canonical encoding (meaning equivalent names will work + even if they aren't identical) and uses SHA1 instead of MD5. This form + is incompatible with the older format and as a result c_rehash should + be used to rebuild symbolic links. + [Steve Henson] + *) Make PKCS#8 the default write format for private keys, replacing the traditional format. This form is standardised, more secure and doesn't include an implicit MD5 dependency. diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index 62e01b1ff5..e779c334e5 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -963,6 +963,7 @@ unsigned long X509_subject_name_hash(X509 *x); int X509_cmp(const X509 *a, const X509 *b); int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); unsigned long X509_NAME_hash(X509_NAME *x); +unsigned long X509_NAME_hash_old(X509_NAME *x); int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b); int X509_CRL_match(const X509_CRL *a, const X509_CRL *b); diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 180dedc7fa..ee234b04ad 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -198,11 +198,27 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) } +unsigned long X509_NAME_hash(X509_NAME *x) + { + unsigned long ret=0; + unsigned char md[16]; + + /* Make sure X509_NAME structure contains valid cached encoding */ + i2d_X509_NAME(x,NULL); + EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(), NULL); + + ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| + ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) + )&0xffffffffL; + return(ret); + } + #ifndef OPENSSL_NO_MD5 /* I now DER encode the name and hash it. Since I cache the DER encoding, * this is reasonably efficient. */ -unsigned long X509_NAME_hash(X509_NAME *x) + +unsigned long X509_NAME_hash_old(X509_NAME *x) { unsigned long ret=0; unsigned char md[16]; -- 2.25.1